WordPress Plugin Vulnerabilities

PowerPress Podcasting < 11.0.7 - Contributor+ SSRF

Description

The plugin does not validate a parameter before making a request to it via the powerpress_media_info AJAX action, which could allow Contributor and above role to perform SSRF attacks

Affects Plugins

Plugin icon
powerpress
Fixed in 11.0.7

References

CVE
CVE-2023-41239

Classification

Type
SSRF
OWASP top 10
A1: Injection
CWE
CWE-918
CVSS
5.5 (medium)

Miscellaneous

Original Researcher
Mika
Verified
No
WPVDB ID
7fe83e4b-7574-42b3-840f-a80badea2a18

Timeline

Publicly Published
2023-08-29 (about 2 years ago)
Added
2023-11-13 (about 2 years ago)
Last Updated
2023-11-13 (about 2 years ago)

Other

Published
Title
Published
2024-07-22
Title
AI Engine < 2.4.8 - Authenticated (Subscriber+) Server-Side Request Forgery
Published
2025-07-10
Title
Broken Link Notifier < 1.3.1 - Unauthenticated Server-Side Request Forgery
Published
2022-04-19
Title
External Media without Import <= 1.1.2 - Subscriber+ Blind SSRF
Published
2025-09-03
Title
WP Bannerize Pro < 1.11.0 - Authenticated (Editor+) Server-Side Request Forgery
Published
2021-04-13
Title
Import XML and RSS Feeds < 2.0.3 - Authenticated Server-side Request Forgery (SSRF)